Over the past two hours I have read a lot of threads here and made some changes, but I'm not sure how this happened or whether it has been resolved.
First, this morning I received an email from OVH saying that my server was sending a lot of spam and that my IP is banned from using port 25 until I fix the problem. They also attached a sample of the mail that led to the ban:
Destination IP: 168.95.6.64 - Message-ID: [email protected] - Spam score: 391
Destination IP: 168.95.6.58 - Message-ID: [email protected] - Spam score: 371
Destination IP: 168.95.6.58 - Message-ID: [email protected] - Spam score: 371
Destination IP: 168.95.5.11 - Message-ID: [email protected] - Spam score: 371
Destination IP: 168.95.5.64 - Message-ID: [email protected] - Spam score: 371
I panicked, so I stopped Postfix and tried to adjust the settings to make it more secure (set through webmin, here).
Then I checked my logs, but I still see some strange unknown connections; I don't know where they come from, who they are, or why.
Current mail log:
May 24 15:32:12 web postfix/smtpd[19826]: connect from unknown[89.248.171.131]
May 24 15:32:12 web postfix/smtpd[19826]: disconnect from unknown[89.248.171.131]
May 24 15:32:14 web postfix/smtpd[19826]: connect from static-68-236-199-191.nwrk.east.verizon.net[68.236.199.191]
May 24 15:32:14 web postfix/smtpd[19826]: NOQUEUE: reject: RCPT from static-68-236-199-191.nwrk.east.verizon.net[68.236.199.191]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.142]>
May 24 15:32:14 web postfix/smtpd[19826]: disconnect from static-68-236-199-191.nwrk.east.verizon.net[68.236.199.191]
May 24 15:33:34 web postfix/smtpd[19826]: warning: hostname hostby.planet-telecom.eu does not resolve to address 91.197.232.50: Name or service not known
May 24 15:33:34 web postfix/smtpd[19826]: connect from unknown[91.197.232.50]
May 24 15:33:34 web postfix/smtpd[19826]: disconnect from unknown[91.197.232.50]
May 24 15:34:31 web postfix/smtpd[19826]: warning: hostname hostby.planet-telecom.eu does not resolve to address 91.197.232.50: Name or service not known
May 24 15:34:31 web postfix/smtpd[19826]: connect from unknown[91.197.232.50]
May 24 15:34:32 web postfix/smtpd[19826]: disconnect from unknown[91.197.232.50]
May 24 15:34:32 web postfix/smtpd[19826]: warning: hostname hostby.planet-telecom.eu does not resolve to address 91.197.232.50: Name or service not known
May 24 15:34:32 web postfix/smtpd[19826]: connect from unknown[91.197.232.50]
May 24 15:34:32 web postfix/smtpd[19826]: disconnect from unknown[91.197.232.50]
May 24 15:34:36 web postfix/smtpd[19826]: warning: hostname hostby.planet-telecom.eu does not resolve to address 91.197.232.50: Name or service not known
May 24 15:34:36 web postfix/smtpd[19826]: connect from unknown[91.197.232.50]
May 24 15:34:36 web postfix/smtpd[19826]: disconnect from unknown[91.197.232.50]
This is my current messages log:
May 24 15:32:45 web systemd: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 19554 (find)
May 24 15:32:45 web systemd: Mounting Arbitrary Executable File Formats File System...
May 24 15:32:45 web systemd: Mounted Arbitrary Executable File Formats File System.
May 24 15:33:01 web systemd: Started Session 3792 of user site1.
May 24 15:33:01 web systemd: Starting Session 3792 of user site1.
May 24 15:34:01 web systemd: Started Session 3793 of user site1.
May 24 15:34:01 web systemd: Starting Session 3793 of user site1.
May 24 15:35:01 web systemd: Started Session 3794 of user mailman.
May 24 15:35:01 web systemd: Starting Session 3794 of user mailman.
May 24 15:35:01 web systemd: Started Session 3795 of user root.
May 24 15:35:01 web systemd: Starting Session 3795 of user root.
May 24 15:35:02 web su: (to postgres) root on none
May 24 15:35:50 web clamd: SelfCheck: Database modification detected. Forcing reload.
May 24 15:35:50 web clamd[1361]: SelfCheck: Database modification detected. Forcing reload.
May 24 15:35:50 web clamd[1361]: Reading databases from /var/lib/clamav
May 24 15:35:50 web clamd: Reading databases from /var/lib/clamav
May 24 15:35:58 web clamd[1361]: Database correctly reloaded (4399850 signatures)
May 24 15:35:58 web clamd: Database correctly reloaded (4399850 signatures)
May 24 15:37:01 web systemd: Started Session 3796 of user site1.
May 24 15:37:01 web systemd: Starting Session 3796 of user site1.
I have about 16 IPs on my server, and only one is affected by the spam. I have just started a malware scan on the server and will update if it finds anything.
My main concern is: how could this happen? I set a 16-character password for each user, for example "&VGq7T=:x\4_.cBQ". Each website is hosted on a different IP, with a different user and email account activated. I can identify it from the old logs.
Here is my mail log from while the spam was being sent:
May 24 14:57:31 web postfix/pickup[1457]: AE9D4221009: uid=535 from=<user2>
May 24 14:57:31 web postfix/cleanup[10527]: AE9D4221009: message-id=<[email protected]>
May 24 14:57:31 web postfix/qmgr[4581]: AE9D4221009: from=<[email protected]>, size=6059, nrcpt=1 (queue active)
May 24 14:57:32 web postfix/local[10529]: AE9D4221009: to=<[email protected]>, orig_to=<user2>, relay=local, delay=151, delays=150/0/0/0.83, dsn=5.2.0, status=bounced (can't create user output file)
May 24 14:57:32 web postfix/bounce[11771]: AE9D4221009: sender non-delivery notification: 85B3A22100E
May 24 14:57:32 web postfix/qmgr[4581]: AE9D4221009: removed
The website associated with user2 has been shut down.
I also have a lot of lines like this:
May 24 14:13:08 web postfix/smtpd[28842]: warning: unknown[220.247.201.45]: SASL LOGIN authentication failed: authentication failure
I would really like to understand this, to know whether the problem has been solved, and where it might lie. I am not a server administrator, and having to deal with this kind of problem in a hurry is frustrating. But at least I'm learning. I apologize in advance for my lack of basic understanding of Postfix. I hope I have been clear enough that someone can give me some guidance; I can provide more details/logs if needed.
Update:
I can access email from my computer, but I can no longer use SMTP. I guess this is related to the settings changes I made.
Here is my config file: http://pastebin.com/CuYrp4sC
Answer 1
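The three kinds of log lines quoted above carry different signals: "SASL LOGIN authentication failed" is a remote client guessing passwords against SMTP AUTH, "Relay access denied" is the server correctly refusing to relay for an outsider, and a postfix/pickup line with uid=535 is a message handed to Postfix by a local process running as that uid (the local sendmail path, no SMTP login involved). The script below is an added example, not code from the question or any answer; it parses lines in those formats and produces a short triage summary. The sample lines are constructed to match the question's log format (the IPs are the ones quoted above; hostnames, addresses and the queue id are placeholders), and the trusted-uid set and guessing threshold are assumptions to adjust for the host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the question's mail log. The IPs are the ones quoted in
# the question; hostnames, mail addresses and the sender name are placeholders.
SAMPLE_LOG = """\
May 24 14:13:08 web postfix/smtpd[28842]: warning: unknown[220.247.201.45]: SASL LOGIN authentication failed: authentication failure
May 24 14:13:09 web postfix/smtpd[28842]: warning: unknown[220.247.201.45]: SASL LOGIN authentication failed: authentication failure
May 24 14:57:31 web postfix/pickup[1457]: AE9D4221009: uid=535 from=<user2>
May 24 14:57:31 web postfix/qmgr[4581]: AE9D4221009: from=<user2@site1.example>, size=6059, nrcpt=1 (queue active)
May 24 15:32:14 web postfix/smtpd[19826]: connect from client.example[68.236.199.191]
May 24 15:32:14 web postfix/smtpd[19826]: NOQUEUE: reject: RCPT from client.example[68.236.199.191]: 454 4.7.1 <someone@elsewhere.example>: Relay access denied; from=<sender@elsewhere.example> to=<someone@elsewhere.example> proto=ESMTP helo=<[192.168.1.142]>
May 24 15:33:34 web postfix/smtpd[19826]: connect from unknown[91.197.232.50]
May 24 15:33:34 web postfix/smtpd[19826]: disconnect from unknown[91.197.232.50]
"""

# Failed SMTP AUTH from a remote client (password guessing against the submission service).
SASL_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")
# Relay attempt refused; Postfix answers 554 5.7.1, or 454 4.7.1 when soft_bounce is on.
RELAY_DENIED = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?:454 4|554 5)\.7\.1 <[^>]*>: Relay access denied")
# Message handed to Postfix through the local sendmail(1) path by a process running as this uid.
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[^\]]+)\]")


def triage(log_text, trusted_uids=frozenset({0}), guess_threshold=2):
    """Summarise a Postfix log and return counters plus human-readable findings."""
    sasl_failures = Counter()
    relay_denied = Counter()
    connects = Counter()
    local_submissions = defaultdict(list)

    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            sasl_failures[m["ip"]] += 1
            continue
        m = RELAY_DENIED.search(line)
        if m:
            relay_denied[m["ip"]] += 1
            continue
        m = PICKUP.search(line)
        if m:
            local_submissions[int(m["uid"])].append(m["qid"])
            continue
        m = CONNECT.search(line)
        if m:
            connects[m["ip"]] += 1

    findings = []
    # Locally injected mail from an untrusted uid points at a process on the box (a site's
    # scripts, a cron job), which no SMTP password change will stop.
    for uid, qids in sorted(local_submissions.items()):
        if uid not in trusted_uids:
            findings.append(
                f"uid {uid} injected {len(qids)} message(s) through the local pickup path "
                f"(queue ids {', '.join(qids)}); SMTP authentication was not involved, so inspect "
                f"that account's web content, cron jobs and running processes")
    for ip, n in sasl_failures.most_common():
        if n >= guess_threshold:
            findings.append(f"{ip}: {n} failed SASL logins (password guessing); confirm there is no "
                            f"later successful login from it and consider rate limiting")
    for ip, n in relay_denied.items():
        findings.append(f"{ip}: {n} relay attempt(s) correctly refused")

    return {
        "sasl_failures": sasl_failures,
        "relay_denied": relay_denied,
        "connects": connects,
        "local_submissions": dict(local_submissions),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against a real /var/log/maillog by passing the file contents to triage(); the uids reported for pickup lines map to accounts via /etc/passwd, which is the quickest way to tell a compromised site account from a stolen SMTP password.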
The way SMTP works, you probably don't want to block them from connecting... you just want to limit what they can do.
An example policy might be:
- authorized users can send mail to anyone
- unauthorized users can only send mail to local users
In postfix, I think this just means filling in your local domains in the "mydestination", "relayhost" and "mynetworks" settings. For example:
mydestination = mysite.com, someinternalname.company, localhost
relayhost =
mynetworks = 192.168.99.0/24 10.32.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
And I'm not sure whether the myorigin and mydomain options are relevant to this.
But if you really want to block them completely, use a firewall to block them from the public network.
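The policy in this answer (trusted networks and authenticated users may send anywhere, everyone else only to local domains) is decided by mynetworks together with the smtpd relay restrictions, so a setting such as a public range in mynetworks or a bare "permit" in the restriction list silently turns the policy into an open relay. The checker below is an added example, not the answer's or Postfix's own code: it parses main.cf syntax, verifies that every mynetworks entry lies inside loopback or RFC 1918/ULA/link-local space, and checks that whichever relay restriction list is set contains reject_unauth_destination (or defer_unauth_destination) before any bare "permit". The two configurations are constructed: the weak one is a hypothetical misconfiguration, the fixed one is the answer's three lines plus an explicit smtpd_relay_restrictions (a real Postfix parameter, whose default on Postfix 2.10 and later already defers relaying to foreign domains).

```python
import ipaddress
import re

# Ranges from which unauthenticated relaying is acceptable: loopback plus private/ULA/link-local.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "::ffff:127.0.0.0/104", "fc00::/7", "fe80::/10",
)]
REJECTS = {"reject_unauth_destination", "defer_unauth_destination"}

# Constructed examples: a hypothetical open-relay main.cf and a corrected one built from the
# answer's settings.
WEAK_CF = """\
# hypothetical misconfiguration (constructed for this example)
mydestination = mysite.com, localhost
relayhost =
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit
"""

FIXED_CF = """\
mydestination = mysite.com, someinternalname.company, localhost
relayhost =
mynetworks = 192.168.99.0/24 10.32.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comments, indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        k, _, v = raw.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params


def split_list(value):
    """Postfix lists may be separated by whitespace and/or commas."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def check_mynetworks(entries):
    findings = []
    for entry in entries:
        try:  # "[::1]/128" style brackets are dropped before parsing
            net = ipaddress.ip_network(re.sub(r"[\[\]]", "", entry), strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot verify non-CIDR entry {entry!r} (lookup table or negation); review it by hand")
            continue
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_RANGES):
            findings.append(f"mynetworks: {entry} is outside loopback/private space; every host in it may relay without authenticating")
    return findings


def audit(text):
    """Return a list of findings; an empty list means the relay policy looks as the answer intends."""
    params = parse_main_cf(text)
    findings = check_mynetworks(split_list(params.get("mynetworks", "")))
    if not split_list(params.get("mydestination", "")):
        findings.append("mydestination is empty: the server will not accept mail for its own domains")
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if name not in params:
            continue
        rules = split_list(params[name])
        reject_at = next((i for i, r in enumerate(rules) if r in REJECTS), None)
        permit_at = rules.index("permit") if "permit" in rules else None
        if reject_at is None:
            findings.append(f"{name} never rejects relaying to foreign domains: {params[name]!r}")
        elif permit_at is not None and permit_at < reject_at:
            findings.append(f"{name}: bare 'permit' ends evaluation before the unauth-destination check")
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("fixed", FIXED_CF)):
        print(label, audit(cf) or "ok")
```

On a live host, feed it the output of postconf -n (which prints the non-default settings in the same key = value form) rather than the raw file, so that parameter values set through webmin or include files are what actually get checked.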